Computer Weekly "CW 360º", © 2001 ComputerWeekly.com Ltd
Why are we in this mess?
By Cliff Saran
As the world braces itself for the impact of the Code Red worm, the key
question for IT professionals is why systems are vulnerable to this kind of
attack.
Tuesday, July 31 2001 - Following Tuesday's US government and Microsoft
press conference to highlight the dangers, Ronald Dick, director of the FBI's
National Infrastructure Protection Centre, said getting information out to
users had proved more difficult than he ever imagined. US security officials
were at a loss to know what more they could do to get companies to heed the
warnings, he added. Defence against the Code Red worm is simple. Users simply
have to install a patch from Microsoft.
However, Simon Moores, chairman of the Microsoft Forums, told CW360 that
Microsoft's policy of selling millions of units of insecure software and then
asking users to install the security patch was fundamentally flawed. The key
to the problem for Moores is poor software design that allows anyone from
the mischievous to the malicious and criminal to threaten a crucial part of
the global infrastructure.
"We are relying on Microsoft too much to build the Internet's infrastructure. There must be a better way," he said. According to Moores, several enterprise users were now questioning their commitment to Microsoft's latest .Net strategy, which largely focuses on delivering an infrastructure to provide Web-based services over the Internet. "Large enterprises have doubts over security [in Microsoft software] but they do not know where to go to keep their data safe," Moores said.
DK Matai, managing director of security firm mi2g software, said many security risks were the result of proprietary software. "In the case of Microsoft and other proprietary software, vulnerabilities can only be repaired once the manufacturer is involved, because the source code is not openly available," he said.
The backward compatibility of proprietary products means that they are built in layers over time and this, according to Matai, "is the Achilles' heel of Proprietary Software. The Code Red Worm vulnerability amplifies the argument in favour of open software solutions within large businesses that can afford to have their own software engineers to develop patches in real time as more and more vulnerabilities come to light," he said.
Matai believes the future lies in software system solutions that will be able "to dynamically adapt to the rising threat in real time". Eventually, he said, "Large businesses will apply sufficient pressure on proprietary software manufacturers to release their source code where the vulnerabilities become a cumulative and regular disruptive feature."